Benjamin Peterson
daeb925cc8
backport many ssl features from Python 3 ( closes #21308 )
A contribution of Alex Gaynor and David Reid with the generous support of
Rackspace. May God have mercy on their souls.
2014-08-20 14:14:50 -05:00
Antoine Pitrou
3b2afbbf88
Issue #20207 : Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly asked for.
2014-01-09 19:52:12 +01:00
Christian Heimes
41a7d5ee17
Issue #19227 / Issue #18747 : Remove pthread_atfork() handler to remove OpenSSL re-seeding
It is causing trouble like e.g. hanging processes.
2013-10-29 20:50:01 +01:00
Antoine Pitrou
87c99a0d37
Properly initialize all fields of a SSL object after allocation.
2013-09-29 19:52:45 +02:00
Christian Heimes
5eb6e3b40d
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:05:50 +02:00
Christian Heimes
ed9884b2d0
Issue #18709 : GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
2013-09-05 16:04:35 +02:00
Christian Heimes
8ee5ffddf5
Issue #18747 : Fix spelling errors in my commit message and comments,
thanks to Vajrasky Kok for proof-reading.
2013-08-25 14:19:16 +02:00
Barry Warsaw
82f8828317
- Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string representation of ASN.1
strings for `rfc822Name` (email), `dNSName` (DNS) and
`uniformResourceIdentifier` (URI).
2013-08-23 13:26:49 -04:00
Christian Heimes
1d0f73d20f
Issue #18747 : Use a parent atfork handler instead of a child atfork handler.
fork() is supposed to be async-signal safe but the handler calls unsafe functions. A parent handler mitigates the issue.
2013-08-22 13:19:48 +02:00
Christian Heimes
0d604cf65e
Issue #18747 : Re-seed OpenSSL's pseudo-random number generator after fork.
A pthread_atfork() child handler is used to seed the PRNG with pid, time
and some stack data.
2013-08-21 13:26:05 +02:00
Christian Heimes
10107813ac
Issue #18777 : The ssl module now uses the new CRYPTO_THREADID API of
OpenSSL 1.0.0+ instead of the deprecated CRYPTO id callback function.
2013-08-19 17:36:29 +02:00
Christian Heimes
b4ec842f39
Issue 18768: Correct doc string of RAND_egd(). Patch by Vajrasky Kok.
2013-08-17 17:25:18 +02:00
Christian Heimes
f1bd47ae14
Issue #18768 : coding style nitpick. Thanks to Vajrasky Kok
2013-08-17 17:18:56 +02:00
Ezio Melotti
419e23cbb0
#18466 : fix more typos. Patch by Févry Thibault.
2013-08-17 16:56:09 +03:00
Christian Heimes
88b174c977
Issue #18709 : Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module has used OpenSSL's
GENERAL_NAME_print() function to get the string representation of ASN.1
strings for rfc822Name (email), dNSName (DNS) and
uniformResourceIdentifier (URI).
2013-08-17 00:54:47 +02:00
Victor Stinner
c1a44269da
Issue #18135 : ssl.SSLSocket.write() now raises an OverflowError if the input
string is longer than 2 gigabytes. The ssl module does not support partial
write.
2013-06-25 00:48:02 +02:00
Victor Stinner
4807df41ad
Issue #18135 : Fix a possible integer overflow in ssl.SSLSocket.write()
for strings longer than 2 gigabytes.
2013-06-23 15:15:10 +02:00
Antoine Pitrou
c5bef75c77
Issue #15604 : Update uses of PyObject_IsTrue() to check for and handle errors correctly.
Patch by Serhiy Storchaka.
2012-08-15 23:16:51 +02:00
Antoine Pitrou
d358e0554b
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:42:45 +01:00
Antoine Pitrou
dd7e071b23
Issue #13014 : Fix a possible reference leak in SSLSocket.getpeercert().
2012-02-15 22:25:27 +01:00
Antoine Pitrou
374b4ea9da
Issue #13885 : CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
2012-01-27 09:44:08 +01:00
Antoine Pitrou
aa1c967f93
Issue #13458 : Fix a memory leak in the ssl module when decoding a certificate with a subjectAltName.
Patch by Robert Xiao.
2011-11-23 01:39:19 +01:00
Antoine Pitrou
f06eb46918
Issue #13034 : When decoding some SSL certificates, the subjectAltName extension could be unreported.
2011-10-01 19:30:58 +02:00
Charles-François Natali
fda7b379ac
Issue #12287 : Fix a stack corruption in ossaudiodev module when the FD is
greater than FD_SETSIZE.
2011-08-28 16:22:33 +02:00
Victor Stinner
b1241f9619
(Merge 3.1) Issue #12012 : ssl.PROTOCOL_SSLv2 becomes optional
OpenSSL is now compiled with OPENSSL_NO_SSL2 defined (without the SSLv2
protocol) on Debian: fix the ssl module on Debian Testing and Debian Sid.
Optimize also ssl.get_protocol_name(): speed does matter!
2011-05-10 01:52:03 +02:00
Hirokazu Yamamoto
a9b1689a89
Merged revisions 87140 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r87140 | hirokazu.yamamoto | 2010-12-09 19:49:00 +0900 (木, 09 12 2010) | 2 lines
Should call Py_INCREF for Py_None (Modules/_ssl.c: PySSL_cipher)
........
2010-12-09 12:12:42 +00:00
Benjamin Peterson
8e73403284
Merged revisions 85432 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r85432 | benjamin.peterson | 2010-10-13 17:06:39 -0500 (Wed, 13 Oct 2010) | 1 line
constify to appease compiler warnings
........
2010-10-13 22:10:31 +00:00
Mark Dickinson
c1ef2fa45f
Merged revisions 83680,83685 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/release27-maint
................
r83680 | mark.dickinson | 2010-08-03 19:34:53 +0100 (Tue, 03 Aug 2010) | 9 lines
Merged revisions 83677 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r83677 | mark.dickinson | 2010-08-03 19:31:54 +0100 (Tue, 03 Aug 2010) | 1 line
Fix memory leak in ssl module.
........
................
r83685 | mark.dickinson | 2010-08-03 19:46:28 +0100 (Tue, 03 Aug 2010) | 9 lines
Merged revisions 83683 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r83683 | mark.dickinson | 2010-08-03 19:44:16 +0100 (Tue, 03 Aug 2010) | 1 line
Misc/NEWS entry for r83677.
........
................
2010-08-03 18:50:32 +00:00
Mark Dickinson
793c71ce52
Merged revisions 83677 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k
........
r83677 | mark.dickinson | 2010-08-03 19:31:54 +0100 (Tue, 03 Aug 2010) | 1 line
Fix memory leak in ssl module.
........
2010-08-03 18:34:53 +00:00
Antoine Pitrou
b4f0e644bc
Merged revisions 82210 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r82210 | antoine.pitrou | 2010-06-25 02:03:21 +0200 (ven., 25 juin 2010) | 4 lines
Issue #9075 : In the ssl module, remove the setting of a `debug` flag
on an OpenSSL structure.
........
2010-06-25 00:09:05 +00:00
Antoine Pitrou
0dddf600d4
Issue #9075 : In the ssl module, remove the setting of a `debug` flag
on an OpenSSL structure.
2010-06-25 00:03:21 +00:00
Antoine Pitrou
b6e3e3ab92
Merged revisions 81241 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r81241 | antoine.pitrou | 2010-05-17 01:11:46 +0200 (lun., 17 mai 2010) | 4 lines
Clear the OpenSSL error queue each time an error is signalled.
When the error queue is not emptied, strange things can happen on the next SSL call, depending on the OpenSSL version.
........
2010-05-16 23:14:34 +00:00
Antoine Pitrou
508a237c97
Clear the OpenSSL error queue each time an error is signalled.
When the error queue is not emptied, strange things can happen on the next SSL call, depending on the OpenSSL version.
2010-05-16 23:11:46 +00:00
Antoine Pitrou
96125cf170
Merged revisions 81115 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r81115 | antoine.pitrou | 2010-05-12 16:02:34 +0200 (mer., 12 mai 2010) | 3 lines
Improve _ssl.c formatting
........
2010-05-12 14:05:34 +00:00
Antoine Pitrou
2e136abd16
Improve _ssl.c formatting
2010-05-12 14:02:34 +00:00
Antoine Pitrou
7fd622afd7
Merged revisions 80789 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r80789 | antoine.pitrou | 2010-05-05 17:53:45 +0200 (mer., 05 mai 2010) | 3 lines
Untabify Modules/_ssl.c
........
2010-05-05 15:59:19 +00:00
Antoine Pitrou
a4c2a5c9a0
Untabify Modules/_ssl.c
2010-05-05 15:53:45 +00:00
Brett Cannon
949476ee58
Remove unneeded variable initialization.
Found using Clang's static analyzer.
2010-05-03 23:41:23 +00:00
Antoine Pitrou
bcc17e7223
Merged revisions 80540 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r80540 | antoine.pitrou | 2010-04-27 21:09:59 +0200 (mar., 27 avril 2010) | 4 lines
Issue #8549 : Fix compiling the _ssl extension under AIX. Patch by
Sridhar Ratnakumar.
........
2010-04-27 19:13:23 +00:00
Antoine Pitrou
1dc6b08f9e
Issue #8549 : Fix compiling the _ssl extension under AIX. Patch by
Sridhar Ratnakumar.
2010-04-27 19:09:59 +00:00
Antoine Pitrou
c689d96044
Merged revisions 80451-80452 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r80451 | antoine.pitrou | 2010-04-24 21:57:01 +0200 (sam., 24 avril 2010) | 4 lines
The do_handshake() method of SSL objects now adjusts the blocking mode of
the SSL structure if necessary (as other methods already do).
........
r80452 | antoine.pitrou | 2010-04-24 22:04:58 +0200 (sam., 24 avril 2010) | 4 lines
Issue #5103 : SSL handshake would ignore the socket timeout and block
indefinitely if the other end didn't respond.
........
2010-04-24 20:13:37 +00:00
Antoine Pitrou
4d3e372ff3
The do_handshake() method of SSL objects now adjusts the blocking mode of
the SSL structure if necessary (as other methods already do).
2010-04-24 19:57:01 +00:00
Antoine Pitrou
07072168fb
Merged revisions 80392 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r80392 | antoine.pitrou | 2010-04-23 01:33:02 +0200 (ven., 23 avril 2010) | 9 lines
Issue #8108 : Fix the unwrap() method of SSL objects when the socket has
a non-infinite timeout. Also make that method friendlier with applications
wanting to continue using the socket in clear-text mode, by disabling
OpenSSL's internal readahead. Thanks to Darryl Miles for guidance.
Issue #8108 : test_ftplib's non-blocking SSL server now has proper handling
of SSL shutdowns.
........
2010-04-23 21:07:58 +00:00
Antoine Pitrou
a5c4b5515f
Issue #8108 : Fix the unwrap() method of SSL objects when the socket has
a non-infinite timeout. Also make that method friendlier with applications
wanting to continue using the socket in clear-text mode, by disabling
OpenSSL's internal readahead. Thanks to Darryl Miles for guidance.
Issue #8108 : test_ftplib's non-blocking SSL server now has proper handling
of SSL shutdowns.
2010-04-22 23:33:02 +00:00
Antoine Pitrou
878602a284
Merged revisions 80314-80315 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r80314 | antoine.pitrou | 2010-04-21 21:28:03 +0200 (mer., 21 avril 2010) | 5 lines
Issue #8484 : Load all ciphers and digest algorithms when initializing
the _ssl extension, such that verification of some SSL certificates
doesn't fail because of an "unknown algorithm".
........
r80315 | antoine.pitrou | 2010-04-21 21:36:23 +0200 (mer., 21 avril 2010) | 3 lines
Forgot to add the sample certificate (followup to r80314)
........
2010-04-21 19:41:28 +00:00
Antoine Pitrou
c715a9ed08
Issue #8484 : Load all ciphers and digest algorithms when initializing
the _ssl extension, such that verification of some SSL certificates
doesn't fail because of an "unknown algorithm".
2010-04-21 19:28:03 +00:00
Antoine Pitrou
0a6373c1a9
Issue #8322 : Add a *ciphers* argument to SSL sockets, so as to change the
available cipher list. Helps fix test_ssl with OpenSSL 1.0.0.
2010-04-17 17:10:38 +00:00
Antoine Pitrou
343314a11c
Revert r79915 (temporary commit to check for buildbots -> the fix was successful)
2010-04-09 22:41:31 +00:00
Antoine Pitrou
9c6cd56e91
Temporarily commit fix to issue #8108 , to check for buildbot response
2010-04-09 21:00:36 +00:00
Antoine Pitrou
206685be96
Merged revisions 79910 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r79910 | antoine.pitrou | 2010-04-09 22:38:39 +0200 (ven., 09 avril 2010) | 4 lines
SSL_MODE_AUTO_RETRY has been added in OpenSSL 0.9.6. Fix compilation
with earlier versions.
........
2010-04-09 20:44:09 +00:00